CA policy Intune non compliant device

%3CLINGO-SUB%20id%3D%22lingo-sub-2685362%22%20slang%3D%22en-US%22%3ECA%20policy%20Intune%20non%20compliant%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2685362%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3EI%20have%20the%20following%20requirement.%20Can%20this%20be%20done%20using%20one%20CA%20policy%2C%20if%20so%20can%20i%20get%20an%20example%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3EIf%20a%20user%20does%20not%20enroll%20in%20Intune%2C%20we%20want%20to%26nbsp%3B%20block%20them%20from%20accessing%20mail%20via%20integrated%20app%20(iOS%20Mail%2C%20Android%20Mail%2C%20etc)%20and%20also%20Outlook%20for%20iOS%2FAndroid%26nbsp%3B%20but%20allow%20access%20to%20Teams%3F%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2685362%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2685401%22%20slang%3D%22en-US%22%3ERe%3A%20CA%20policy%20Intune%20non%20compliant%20device%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2685401%22%20slang%3D%22en-US%22%3EYou%20should%20be%20able%20to%20do%20this%20by%20creating%20a%20CA%20policies%20that%20targets%20Exchange%20Online%2C%20set%20the%20device%20platform%20to%20iOS%20and%20Android%2C%20select%20client%20apps%20as%20browser%20and%20mobile%20and%20desktop%20apps%20(modern%20auth%20and%20Exchange%20ActiveSync)%20and%20grant%20controls%20to%20require%20a%20compliant%20device.%20Also%20have%20a%20look%20at%20device%20state%20to%20determine%20if%20any%20of%20that%20needs%20to%20be%20set%20in%20your%20case.%20Since%20this%20targets%20just%20Exchange%20Online%20on%20iOS%20and%20Android%2C%20any%20other%20apps%20will%20be%20allowed.%3C%2FLINGO-BODY%3E
Frequent Contributor

Hello

I have the following requirement. Can this be done using one CA policy, if so can i get an example? 

 

If a user does not enroll in Intune, we want to  block them from accessing mail via integrated app (iOS Mail, Android Mail, etc) and also Outlook for iOS/Android  but allow access to Teams?
2 Replies

You should be able to do this by creating a CA policy that targets Exchange Online, set the device platform to iOS and Android, select client apps as browser and mobile and desktop apps (modern auth and Exchange ActiveSync) and grant controls to require a compliant device. Also have a look at device state to determine if any of that needs to be set in your case. Since this targets just Exchange Online on iOS and Android, any other apps will be allowed.

And just exclude TEAMS ?